An ActivityPub Test

Background

In the context of client-to-server interactions via Activity submission, ActivityPub says

Servers MUST return a 201 Created HTTP code

About this Test

This is a Test describing a rule to determine whether an ActivityPub Server is in conformance with the following behaviors required by ActivityPub:

Identifier

The identifier of this test is 723afcbb-118d-433e-8ab4-560ffca93582.

Test Subject

The subject of this test is an ActivityPub Server serving activity submission requests for an ActivityPub Outbox.

The Test Subject can be identified by a URI for an ActivityPub Outbox. The ActivityPub Outbox has an id property and the ActivityPub server is responsible for responding to requests sent to it.

Inputs

This test requires the following inputs:

  1. outbox - identifier of an ActivityPub Outbox

  2. authorization - proof of authorization to submit an activity to the outbox identified by input outbox

  3. submission - ActivityPub message that will be submitted to the Outbox.

Applicability

This test applies to the server hosting the ActivityPub Outbox identified by input outbox and that support requests using HTTP method POST.

If input outbox is not a URI, outcome is inapplicable.

If input outbox URI scheme is not https or http, outcome is inapplicable. (This test may be revised later to handle other URI schemes).

If the server indicates it does not support POST requests, the test outcome MUST be inapplicable.

If the server indicates that the provided input includes insufficient proof of authorization to write to the outbox, the test outcome MUST be a CannotTell.

Test Targets

Expectations

Assumptions

Default Outbox Submission

If an input submission is not provided, the test will use an activity based on Example 2 in ActivityPub. If this causes problems, provide an input submission that will work to produce a 201 response status code and satisfy the requirement being tested.

403 Forbidden Semantics Varies on Authorization

When interpreting a HTTP 403 response resulting sending a POST request to the input outbox, this test varies its outcome depending on whether an input authorization was provided to the test.

A rationale is that HTTP semantics in general defines 403 to mean different things depending on whether authentication credentials were provided in the request:

The 403 (Forbidden) status code indicates that the server understood the request but refuses to fulfill it. A server that wishes to make public why the request has been forbidden can describe that reason in the response content (if any).

If authentication credentials were provided in the request, the server considers them insufficient to grant access. The client SHOULD NOT automatically repeat the request with the same credentials. The client MAY repeat the request with new or different credentials. However, a request might be forbidden for reasons unrelated to the credentials.

RFC9110 HTTP Semantics

When authentication credentials are provided, and the server returns 403, the test outcome is failed. This is based on "If authentication credentials were provided in the request, the server considers them insufficient to grant access" from RFC9110 above. failed seems appropriate for the provided inputs because status 403 communicates that the server received the provided credentials, determined they cannot authorize the request, and that the client SHOULD NOT retrying the request with the same credentials. failed should draw attention to either flawed authorization logic or, more likely, an inappropriate authorization input passed to the test.

If no input authorization is provided, the test outcome is CannotTell. This is because there isn't enough evidence for another outcome, and it's best for a human to take a look at the rest of the result and decide what to do next.

Server implementers are encouraged to review RFC7235 for HTTP Authentication, which describes a way of responding to requests that lack proof of authorization by using a 401 status code + hints about what authorization is required.

Test Cases

These are test cases for this test itself, i.e. each test case is a set of test inputs and the corresponding test results.

simple passed case

inputs

test targets

nginx 404 response body

inputs

test targets

non-URI input outbox

inputs

result

without authorization, response status 401

inputs

test targets

result

response status 405 Method Not Allowed

inputs

test targets

without authorization, response status 403 Forbidden

inputs

test targets

result

with authorization, response status 403 Forbidden

inputs

test targets

result

Glossary

outcome

An outcome is a conclusion that comes from evaluating a test on a test subject. An outcome can be one of the three following types:

Requirements Mapping

Issues

Change Log